In this interview, Stephen Pao, General Manager, Security Business at Barracuda Networks, offers advice to CISOs concerned about moving the secure storage of their documents into the cloud and discusses how the cloud is shaping the modern security architecture.

How is the cloud shaping the modern security architecture? Have we reached the point where it's unpractical not to use it?

Leveraging the cloud is really inevitable. IT organizations are moving infrastructure, applications, and data to the cloud for management benefits, and end user organizations appreciate the benefits of cloud services for more rapid time-to-value.

The cloud brings new issues to IT organizations:

Change in attack surface. As IT organizations move their applications and their data to public clouds and SaaS, there are new surfaces for hackers to attack.

Loss of control over devices and networks. As cloud enables anytime / anywhere access, users are accessing their data from devices and networks not controlled by the company.

Empowerment of end user organizations. The emergence of the cloud has empowered end user organizations (e.g., sales, marketing, HR, support) to deploy applications without IT involvement, dramatically impacting governance issues around security posture.

Shift in IT resource allocation. Usage of the cloud shifts the burden of hosting servers on premises toward providing adequate network connectivity and traffic prioritization to business critical cloud services. It also requires a shift in allocation from traditional backhauling of data center traffic over private networks towards providing local Internet access from remote offices.

Still, there is much to be leveraged in the security architecture by providing security in the cloud:

Ability to provide protection everywhere. Utilizing cloud security services can help protect users wherever they are connected and still provide central IT management and reporting on security posture.

Ability to terminate connections and analyze threats to block them before they reach the customer's networks or devices.

Ability to leverage vast amounts of crowd-sourced data in real-time to perform functions such as global Bayesian analysis or polymorphic virus detection that were previously inaccessible to organizations who did not leverage the cloud.

Ability to provide redundancy during customer site outages.

Ability to leverage elastic-compute to handle operations that may exceed the processing power of typical endpoint network security devices.

What security technologies have benefited the most from the cloud?

Many technologies benefit from the cloud. One of the most impactful has been cloud-based, real-time threat protection.

The familiar security concept introduced by desktop anti-virus vendors was to collect virus samples from some subset of customers, produce definitions and have endpoints download those definitions on a periodic basis. The relative isolation of every individual attack instance on which to collect data and the periodic nature of updates in the old world created relatively long attack windows for attackers to exploit.

With the adoption of real-time threat protection services that leverage the cloud, real-time lookups themselves can generate data that can be used to make block decisions instantly, thwarting attacks automatically once they are released in the wild. This use of cloud and big data has dramatically reduced the length of attack windows, in many cases changing the economics and targeting of attacks in general.
